package pl.edu.icm.unity.unicore.samlidp.saml;

import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.unicore.samly2.SAMLConstants;
import eu.unicore.samly2.exceptions.SAMLRequesterException;
import eu.unicore.samly2.exceptions.SAMLServerException;
import eu.unicore.samly2.messages.SAMLVerifiableElement;
import eu.unicore.samly2.trust.SamlTrustChecker;
import eu.unicore.samly2.validators.ReplayAttackChecker;
import java.time.Duration;
import pl.edu.icm.unity.saml.validator.WebAuthRequestValidator;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;
import xmlbeans.org.oasis.saml2.protocol.AuthnRequestDocument;
import xmlbeans.org.oasis.saml2.protocol.AuthnRequestType;

/* loaded from: input_file:pl/edu/icm/unity/unicore/samlidp/saml/WebAuthWithETDRequestValidator.class */
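public class WebAuthWithETDRequestValidator extends WebAuthRequestValidator {
    /**
     * The only NameID format accepted here, both for the request issuer and for the
     * requested subject identity: the SAML 1.1 X.509 subject-name format. The string
     * is repeated in the original bytecode; it is hoisted so both checks cannot drift.
     */
    private static final String X500_NAME_FORMAT =
            "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";

    /**
     * Creates an ETD-aware web authentication request validator. All arguments are
     * passed unchanged to {@link WebAuthRequestValidator}.
     *
     * @param str                 forwarded to the superclass (decompiled name; meaning not visible here)
     * @param samlTrustChecker    trust checker forwarded to the superclass
     * @param duration            forwarded to the superclass (presumably a validity window — TODO confirm)
     * @param replayAttackChecker replay checker forwarded to the superclass
     */
    public WebAuthWithETDRequestValidator(String str, SamlTrustChecker samlTrustChecker, Duration duration, ReplayAttackChecker replayAttackChecker) {
        super(str, samlTrustChecker, duration, replayAttackChecker);
    }

    /**
     * Runs the generic web-SSO validation of the superclass and then additionally
     * requires that the requested identity format is the X.509 subject-name format,
     * since an ETD (extended trust delegation) can only be issued for an X.500 name.
     *
     * @param authnRequestDocument   the parsed AuthnRequest document
     * @param sAMLVerifiableElement  the element the superclass verifies (signature/trust
     *                               handling lives in the superclass and is not visible here)
     * @throws SAMLServerException when the superclass rejects the request, or as a
     *                             {@link SAMLRequesterException} with
     *                             {@code STATUS2_REQUEST_UNSUPP} when the requested
     *                             format is not the X.509 subject-name format
     */
    @Override
    public void validate(AuthnRequestDocument authnRequestDocument, SAMLVerifiableElement sAMLVerifiableElement) throws SAMLServerException {
        AuthnRequestType authnRequest = authnRequestDocument.getAuthnRequest();
        super.validate(authnRequestDocument, sAMLVerifiableElement);
        // Constant-first equals: a request without a resolvable format is rejected with a
        // proper SAML error instead of a NullPointerException (the superclass contract for
        // getRequestedFormat() is not visible here, so do not rely on it being non-null).
        if (!X500_NAME_FORMAT.equals(getRequestedFormat(authnRequest))) {
            throw new SAMLRequesterException(SAMLConstants.SubStatus.STATUS2_REQUEST_UNSUPP, "Requested identity type must be set to X.500 for ETD creation query");
        }
    }

    /**
     * Issuer validation hook: for ETD requests the issuer must be an X.500 name.
     * Presumably overrides a hook in {@link WebAuthRequestValidator} — TODO confirm
     * and add {@code @Override}.
     *
     * @param authnRequestType the request whose issuer is checked
     * @throws SAMLServerException when the issuer is missing, has the wrong format
     *                             or is not a parseable X.500 name
     */
    protected void validateIssuer(AuthnRequestType authnRequestType) throws SAMLServerException {
        checkX500Issuer(authnRequestType.getIssuer());
    }

    /**
     * Verifies that a NameID is present, declares the X.509 subject-name format, carries
     * a value, and that the value parses as an X.500 principal.
     *
     * @param nameIDType the issuer NameID, may be {@code null}
     * @throws SAMLRequesterException on any of the four failures above; the parse failure
     *                                reports the parser message (no cause is attached
     *                                because the available constructor takes a message only)
     */
    protected void checkX500Issuer(NameIDType nameIDType) throws SAMLRequesterException {
        if (nameIDType == null) {
            throw new SAMLRequesterException("Issuer of SAML request must be present in SSO AuthN");
        }
        // Constant-first equals also covers a null format, as the original null check did.
        if (!X500_NAME_FORMAT.equals(nameIDType.getFormat())) {
            throw new SAMLRequesterException(SAMLConstants.SubStatus.STATUS2_REQUEST_UNSUPP, "Query identity type must be set to X.500 for ETD creation query");
        }
        String issuerValue = nameIDType.getStringValue();
        if (issuerValue == null) {
            throw new SAMLRequesterException("Issuer value of SAML request must be present in SSO AuthN");
        }
        try {
            // Only a syntax check: the principal itself is discarded.
            X500NameUtils.getX500Principal(issuerValue);
        } catch (Exception e) {
            throw new SAMLRequesterException("Issuer value of SAML request is not a valid X.500 name: " + e.getMessage());
        }
    }
}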
